In Linux computing, system security is the highest priority. Standard users or system administrators always take certain precautions to ensure the safety of the system and its users.
We have already discussed many topics related to system security (get the link at the bottom of this article). However, today we will focus on ensuring the safety of the user accounts.
Having a Linux user account means you have to ensure that your account should have no password so that anyone can easily access it.
You do not have to repeatedly enter your password and don’t worry, you can secure your sensitive files by placing (.
) at the beginning of their name.
That’s what you were doing, correct? WRONG, if you are a normal user or system administrator then RIGHT NOW you need to check all of your system users with an empty password by following this guide.
But before we jump to the topic of finding users with an empty password you need to understand the fields in the /etc/shadow
file where passwords are stored.
Table of Contents
What is a Shadow File in Linux?
A shadow file in Linux is used to save user password information in multiple fields, each separated by a colon. The file is owned and managed by the root or superuser, as you can see below.
trendoceans@linux:~$ ls -l /etc/shadow
-rw-r----- 1 root root 1613 Sep 5 14:40 /etc/shadow
The line below represents the single-user account representation inside the shadow file.
trendoceans:$y$j9T$tHnf4rJC7ssYEcUF9SNkaY8yRwxh/:19162:0:99999:7:::
Below is detailed information about each field.
- Username: A valid user account that exists on the system and is used to log in.
- Password: User encrypted password in hash format. If the user has not been assigned any password, then the value of this field will be empty. Otherwise, if the user account is locked, the (
!
) will be placed. - Last password change: This field shows when the last time the user password has been changed, expressed as the number of days since Jan 1, 1970 (Unix time). The value
0
represents the user must have to change their password on the next login, and the empty field means the password ageing features are disabled. - Minimum: This field holds the number of days left before allowing the user to change their password. If the field is empty, then the user does not have any minimum password age. However, the value can be updated using the
chage
command. - Maximum: This shows the maximum number of days the password is valid after that user is forced to change the password. The
0
value represents a feature that is disabled. - Warning: Represent the number of days left to show a user warning message about their password expiration. Therefore, users can update their passwords before expiration to avoid account lock.
- Inactive: The number of days the user is allowed to log in after the password has expired.
- Expire: Shows the number of days in UNIX format after which the user account will expire.
To find the user account with an empty password or locked account, you need to focus on the second field. So, let’s see what the different ways are to find the empty password and solve it in Linux.
Find Empty Password User Account in Linux
I will show you three ways to find a user account with an empty password on your Linux system:
Finding All User Accounts with an Empty Password in Linux
Using a sample awk program you can check the second field in the shadow file is empty. If the condition is true it will return the specified message.
trendoceans@linux:~$ sudo awk -F":" '($2 == "") {print $1 ": has no password."}' /etc/shadow
james: has no password.
david: has no password.
You can use the getent
command to do the same job of finding a user account with a null password on Linux.
trendoceans@linux:~$ sudo getent shadow | grep '^[^:]*::' | cut -d: -f1
james
david
The above methods will find and list all the existing users in your system with an empty password.
Finding a Specific User Account with an Empty Password in Linux
You can use the passwd
command along with the -S
flag specifying the account username
as an argument to check for an empty password.
trendoceans@linux:~$ sudo passwd -S james
james NP 09/05/2022 0 99999 7 -1
The above command will give the account status in three possible values:
- LK: The user account is locked.
- NP: The user account has no password.
- PS: The user account has a legal password.
For Debian, instead of LP, NP, or PS, you will get the values in L, N, and P formats.
Finding User Account in Lock State
Whenever you create an account with useradd
command and do not set the account password your account will be in a lock state.
Execute the following command to find all the user accounts in lock state in Linux:
trendoceans@linux:~$ sudo awk -F":" '($2 == "!") {print $1 ": is lock user account."}' /etc/shadow
sam: is lock user account.
Execute the following command to find a specific user account in a locked state in Linux:
trendoceans@linux:~$ sudo passwd -S sam
sam L 09/05/2022 0 99999 7 -1
The L or LK represents that the user account is in a locked state.
Set User Password in Linux
Having no password (or locked account) is not a serious threat to personal computing unless you share your system with others. However, it becomes a target for attackers in the cloud or system administrators.
To avoid this problem, you can just set a strong password for your empty password or lock your account using the sudo passwd username
command, as shown below.
trendoceans@linux:~$ sudo passwd -S james # Checking the account state before updating password
james NP 09/05/2022 0 99999 7 -1
trendoceans@linux:~$ sudo passwd jame # Updating james account password
New password:
Retype new password:
passwd: password updated successfully
trendoceans@linux:~$ sudo passwd -S james # Status after updating password
james P 09/05/2022 0 99999 7 -1
For lock user’s accounts, follow the same above step to unlock the account and protect it with a secure password.
Lock User Account in Linux
If you want to have an account in a locked state (which will prevent it from doing many things) and accidentally unlock it by following our guide.
Then use the passwd
command with the -l
flag to specify the account username
, as shown below.
trendoceans@linux:~$ sudo passwd -S sam # Before locking the user account
sam P 09/05/2022 0 99999 7 -1
trendoceans@linux:~$ sudo passwd -l sam # Locking the user account
passwd: password expiry information changed.
trendoceans@linux:~$ sudo passwd -S sam # Checking the status after locking the user account
sam L 09/05/2022 0 99999 7 -1
That’s all for now. As promised, below are the few links to follow which make your system more secure.
- How to Restrict Script/Application Permission using AppArmor on Ubuntu/Debian
- How to enable and disable a firewall in Ubuntu?
- Debian/Ubuntu: Configure knockd on Server for Port Knocking
- How to Check whether port is Listening or currently Use in Linux
Bookmark our site and subscribe to our newsletter to stay ahead in Linux security updates and information.
If you have any queries or questions related to this topic, then feel free to tell us in the comment section.
Innovative tech mind with 12 years of experience working as a computer programmer, web developer, and security researcher. Capable of working with a variety of technology and software solutions, and managing databases.